Getty Images

HHS Settles HIPAA Investigation With St. Joseph’s Over PHI Disclosure to Media

HHS launched a HIPAA investigation into St. Joseph’s Medical Center and determined that the organization had disclosed three patients’ protected health information to the Associated Press.

The HHS Office for Civil Rights (OCR) completed a HIPAA investigation into New York-based Saint Joseph’s Medical Center following claims that the organization had impermissibly disclosed COVID-19 patients’ protected health information (PHI) to a news reporter. Saint Joseph’s Medical Center agreed to pay $80,000 to OCR and implement corrective actions.

OCR launched the investigation following the publication of an article by the Associated Press about the academic medical center’s response to the COVID-19 pandemic. The article included photographs and information about three COVID-19 patients, including diagnoses, current medical statuses and prognoses, vital signs, and treatment plans.

Further investigation determined that Saint Joseph’s had provided the information to the Associated Press without first obtaining written consent from the three patients.

Under the HIPAA Privacy Rule, covered entities may only disclose PHI if the individual authorizes it in writing.

In addition to the $80,000 paid to OCR, Saint Joseph’s agreed to review and revise its privacy policies and ensure that all workforce members sign a compliance certification before obtaining access to any PHI.

The corrective actions were largely focused on refining the organization’s processes for the disclosure of PHI and establishing internal reporting procedures to prevent future impermissible PHI disclosures.

“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” Melanie Fontes Rainer, OCR’s director, stated in the announcement.

“Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that puts patient privacy first.”

Next Steps

Dig Deeper on HIPAA compliance and regulation